- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- New Configuration Questions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New Configuration Questions
Hi all,
we are changing a HA platform and so we are checking for new ideas and securing the configuration.
One thing is that we have a VIP in a DMZ and we have to get rid of it. Is it recommendable to create an extra Interface just for the VIP to avoid problems in segmentation?
The same problem with the VIPs for the cameras, we would like to move them to an isolate "camera" interface.
Thanks for your ideas!
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To me it's not about VIPs or no VIPs, but it's about what are on the current DMZ interface. If it's serving multiple customers proprietary devices or VMs, you should probably have separated when you built it originally. Or if a part belongs to credit card related, in other words in the PCI-DSS domains, you have to separate/isolate it as much as possible.
Otherwise, external access is controlled by those VIPs specifically to individual devices in the DMZ, I wouldn't worry much if they're in one DMZ or multiple ones per function.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or, if those devices need to communicate each other, which you need to control/regulate, you need to put them on different interfaces so that you can apply policies between them.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. **VIP in a DMZ:**
- **Purpose of DMZ:** DMZs are typically used to isolate and secure services that need to be accessible from the internet while protecting your internal network. If your VIP serves a purpose that aligns with DMZ principles (e.g., a web server, email server), it's generally recommended to keep it in the DMZ.
- **Separate Interface:** Creating a dedicated interface for the VIP in the DMZ can help with network segmentation and improve security. This approach ensures that traffic to and from the VIP is isolated from other internal network traffic.
2. **VIPs for Cameras:**
- **Camera Isolation:** Isolating cameras on a dedicated "camera" interface is a good idea from a security standpoint. This helps prevent potential camera vulnerabilities from affecting other parts of your network.
- **Traffic Management:** Consider how you will manage traffic between the camera VIPs and other parts of your network that may need access to camera streams. You may need to set up rules or access controls to allow necessary communication.
When implementing these changes, keep these best practices in mind:
- **Access Control:** Use firewalls and access control lists (ACLs) to control traffic to and from the VIPs. Only allow necessary traffic, and block all other traffic to enhance security.
- **Monitoring:** Implement monitoring and logging for the VIPs to detect and respond to any security incidents or issues promptly.
- **Redundancy:** Ensure that your new HA platform maintains the necessary redundancy and failover capabilities, especially if you're making significant changes to the infrastructure.
- **Documentation:** Document your configurations thoroughly, including network diagrams, firewall rules, and access policies. This documentation is crucial for maintaining and troubleshooting your network.
- **Testing:** Before implementing these changes in a production environment, thoroughly test them in a controlled environment to identify any potential issues or conflicts.
- **Compliance:** Ensure that your changes align with any industry-specific regulations or compliance requirements that your organization must adhere to.
Remember that network configurations can vary based on the specific requirements and constraints of your organization, so it's essential to tailor your approach to your unique needs and security policies. Additionally, consider involving network and security experts if you're unsure about the best practices for your specific situation.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks for your input.
The idea is to move these "unimportant traffic" away from the DMZ. The config is like >10 years so maybe sometime it made sense, but e.g there is just one VIP service to a VM left and I would like to move it to a new interface just for this external access and deal with inside policies to secure access.
The same with the cameras, they can be accese via web portal and I dont see any reason why it should be in the same inteface than LAN or DMZ.
For me it would be a new aspect, like having more interfaces and more segments to secure everything and the only disadvantages I see maybe in FW performance???
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you already have a good idea/plan what they should look like. There is no hard rule how they should or have to. You just need to follow your basic security principles and re-built them.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like your plan to move "unimportant traffic" away from the DMZ and create new interfaces for specific services like the VIP and cameras is a reasonable approach, especially if the existing configuration is outdated and doesn't align with your current security and segmentation needs. Here are some additional considerations:
1. **Network Segmentation:** Creating additional interfaces and segments for specific services can enhance your network's security posture. It allows you to apply different access control policies and firewall rules to each segment, reducing the attack surface and potential impact of security incidents.
2. **Performance Considerations:** While adding more interfaces and segments can increase the complexity of your network, it may not significantly impact firewall performance unless you're dealing with very high traffic loads or using older hardware. Modern firewalls are designed to handle multiple interfaces and segments efficiently. However, it's essential to monitor performance during and after the implementation to ensure it meets your requirements.
3. **Access Control and Policies:** With this approach, you'll have the flexibility to define granular access control policies for each segment, which can improve security. Make sure to thoroughly plan and document these policies to ensure they align with your organization's security requirements.
4. **Monitoring and Logging:** Implement robust monitoring and logging for each segment to detect and respond to any security incidents or abnormal activities. Centralized logging and analysis can provide insights into network traffic and potential threats.
5. **Testing:** Before implementing these changes in a production environment, perform thorough testing in a controlled environment to identify any issues or conflicts. This testing will help you refine your configurations and ensure a smooth transition.
6. **Documentation:** Keep comprehensive documentation of the new network configuration, including diagrams, firewall rules, access policies, and any changes made. Documentation is essential for troubleshooting, auditing, and future reference.
7. **Regular Audits:** Periodically review and audit your network configuration and access control policies to ensure they remain effective and aligned with your security goals. Security requirements and threat landscapes can change over time, so it's crucial to adapt as needed.
Overall, your approach to segmenting and securing your network is a proactive step toward improving security and aligning your network architecture with current best practices. Just be mindful of performance considerations and ensure that the segmentation strategy effectively meets your organization's security objectives while maintaining the necessary functionality for your services.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
7,152 -
FortiClient
1,411 -
5.2
801 -
5.4
639 -
FortiManager
619 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
374 -
FortiSwitch
372 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1061 | |
| 887 | |
| 527 | |
| 441 | |
| 151 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.